
FS-072600-8-ANA.txt

27 Jul 2000 00:00:00 | Reported by Robin Keir | Type: packetstorm | Source: packetstormsecurity.com

High severity vulnerability in AnalogX SimpleServer:WWW allows file retrieval from server system.

Code
` Foundstone, Inc.  
http://www.foundstone.com  
"Securing the Dot Com World"  
  
Security Advisory  
  
AnalogX "SimpleServer:WWW" dot dot bug  
  
----------------------------------------------------------------------  
FS Advisory ID: FS-072600-8-ANA  
  
Release Date: July 26, 2000  
  
Product: SimpleServer:WWW  
  
Vendor: AnalogX (http://www.analogx.com)  
  
Vendor Advisory: New patched version 1.07 available  
  
Type: Ability to retrieve any known file from  
hosting system  
  
Severity: High  
  
Author: Robin Keir ([email protected])  
Stuart McClure ([email protected])  
Foundstone, Inc. (http://www.foundstone.com)  
  
Operating Systems: All Windows operating systems supported by  
SimpleServer  
  
Vulnerable versions: SimpleServer:WWW 1.06 (and possibly previous  
versions)  
  
Foundstone Advisory: http://www.foundstone.com/advisories.htm  
----------------------------------------------------------------------  
  
Description  
  
AnalogX SimpleServer:WWW is a simple but effective web server  
designed for the home or small business user. Its main claim  
is ease of use and setup.  
  
SimpleServer is vulnerable to a "relative directory path"  
attack that allows a remote user to retrieve any known file  
from the file system of the server on which it is hosted.  
  
Details  
  
In normal use SimpleServer protects against accessing files  
above the directory in which the server is installed. It has  
been proven to correctly deny access when using URLs of the  
following format:  
  
http://www.victim.com/../file.dat  
  
However, by substituting the dot characters with their  
equivalent hexadecimal URL encoded format of %2E this  
restriction is removed, giving the attacker full read access  
to any file on the remote system.  
  
Proof of concept  
  
An HTTP request of the form  
  
http://www.victim.com/%2E%2E/file.dat  
  
will succeed in retrieving the file "file.dat" from one  
directory level above the server root directory if it exists.  
Using similar URL requests it has been shown that any known  
file on the system can be retrieved. For example, assuming  
the default installation location of SimpleServer a request  
of the form:  
  
http://www.victim.com/%2E%2E/%2E%2E/windows/user.dat  
  
would retrieve the remote user's registry file from a Windows  
95/98 machine, which would very likely contain confidential  
information.  
  
Another example here shows that it is possible to retrieve the  
log files from the web server directory itself:  
  
http://www.victim.com/%2E%2E/%2E%2E/Program%20Files/AnalogX/SimpleServer/www/server.log  
  
Solution  
  
Download SimpleServer:www version 1.07 from  
  
http://www.analogx.com/contents/download/network/sswww.htm  
  
Preliminary tests of the fix by Foundstone have confirmed the  
problem is corrected.  
  
Credits  
  
We would like to thank AnalogX for their prompt reaction to  
this problem and their co-operation in heightening security  
awareness in the security community.  
  
Disclaimer  
  
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT  
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS  
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY  
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR  
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED  
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE  
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE  
ADVISORY IS NOT MODIFIED IN ANY WAY.  
  
`
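
The behaviour in the Details section (literal `../` denied, `%2E%2E/` accepted) is what results when a path filter runs before percent-decoding. The sketch below is an added example, not AnalogX or Foundstone code: it models that ordering next to a decode-then-canonicalize-then-contain check. `DOC_ROOT` and both function names are hypothetical, and the advisory does not describe the server's actual internals.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # hypothetical document root, for illustration only


def resolve_check_then_decode(url_path):
    """Flawed order: filter the raw path for '..', then percent-decode."""
    if ".." in url_path:
        return None  # the literal /../ form is rejected
    decoded = unquote(url_path)  # %2E%2E turns into '..' after the check ran
    return posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))


def resolve_decode_then_contain(url_path):
    """Hardened order: decode once, canonicalize, then verify containment."""
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None  # refuse NUL bytes and backslash separators outright
    full = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None  # canonical path left the document root
    return full


if __name__ == "__main__":
    # Constructed request paths, modelled on the URL forms in the advisory.
    for path in ("/index.html", "/../file.dat", "/%2E%2E/file.dat",
                 "/%2e%2e/%2e%2e/windows/user.dat", "/docs/%2E%2E/index.html"):
        print(f"{path!r:36} flawed={resolve_check_then_decode(path)!r:24} "
              f"hardened={resolve_decode_then_contain(path)!r}")
```

The hardened function decides on the canonical path rather than on the request string, so an encoded dot-dot that stays inside the root (the last sample) is still served while any form that escapes it is refused.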
